{{- define "node_exporter_resources" }}
cpu: 10m
memory: 25Mi
{{- end }}
{{- define "kubelet_eviction_thresholds_exporter_resources" }}
cpu: 10m
memory: 25Mi
{{- end }}

{{- if (.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }}
---
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: node-exporter
  namespace: d8-monitoring
  {{- include "helm_lib_module_labels" (list . (dict "app" "node-exporter" "workload-resource-policy.deckhouse.io" "every-node")) | nindent 2 }}
spec:
  targetRef:
    apiVersion: "apps/v1"
    kind: DaemonSet
    name: node-exporter
  updatePolicy:
    updateMode: "Auto"
  resourcePolicy:
    containerPolicies:
    - containerName: node-exporter
      minAllowed:
        {{- include "node_exporter_resources" . | nindent 8 }}
      maxAllowed:
        cpu: 20m
        memory: 50Mi
    - containerName: kubelet-eviction-thresholds-exporter
      minAllowed:
        {{- include "kubelet_eviction_thresholds_exporter_resources" . | nindent 8 }}
      maxAllowed:
        cpu: 20m
        memory: 50Mi
    {{- include "helm_lib_vpa_kube_rbac_proxy_resources" . | nindent 4 }}
{{- end }}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: node-exporter
  namespace: d8-monitoring
  {{- include "helm_lib_module_labels" (list . (dict "app" "node-exporter")) | nindent 2 }}
spec:
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate
  selector:
    matchLabels:
      app: node-exporter
  template:
    metadata:
      labels:
        app: node-exporter
      name: node-exporter
      annotations:
        container.apparmor.security.beta.kubernetes.io/node-exporter: "unconfined"
        container.apparmor.security.beta.kubernetes.io/kubelet-eviction-thresholds-exporter: "unconfined"
    spec:
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      hostPID: true
      serviceAccountName: node-exporter
      {{- include "helm_lib_priority_class" (tuple . "system-node-critical") | nindent 6 }}
      {{- include "helm_lib_tolerations" (tuple . "any-node") | nindent 6 }}
      {{- include "helm_lib_module_pod_security_context_run_as_user_deckhouse_with_writable_fs" . | nindent 6 }}
      containers:
      - image: {{ include "helm_lib_module_image" (list . "nodeExporter") }}
        name: node-exporter
        {{- include "helm_lib_module_container_security_context_capabilities_drop_all_and_add" (list . (list "SYS_TIME")) | nindent 8 }}
        args:
        - '--web.listen-address=127.0.0.1:9101'
        - '--path.rootfs=/host/root'
        - '--collector.ntp'
        - '--no-collector.wifi'
        - '--collector.ntp.server-is-local'
        - '--collector.processes'
        - '--collector.filesystem.mount-points-exclude'
        - '(^/(dev|proc|sys|run)($|/))|(^/var/lib/docker/)|(^/var/lib/containerd/)|(/kubelet/)'
# we want to ignore veth devices. Justification - https://github.com/prometheus-operator/kube-prometheus/pull/1224
# veth.* - for veth interfaces.
# [a-f0-9]{15} - for OVN veth interfaces.
# lxc.* - for Cilium veth interfaces.
        - '--collector.netclass.ignored-devices=^(veth.*|lxc.*|[a-f0-9]{15})$'
        - '--collector.netdev.device-exclude=^(veth.*|lxc.*|[a-f0-9]{15})$'
        - '--collector.filesystem.fs-types-exclude'
        - '^(autofs|binfmt_misc|cgroup|configfs|debugfs|devpts|devtmpfs|fusectl|fuse\.lxcfs|hugetlbfs|mqueue|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|sysfs|tracefs|squashfs)$'
        - '--collector.textfile.directory'
        - '/host/textfile*'
        - '--collector.netstat.fields'
        - '^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_.*|Tcp_(ActiveOpens|InSegs|OutSegs|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts))$'
        volumeMounts:
        - name: root
          readOnly:  true
          mountPath: /host/root
          mountPropagation: HostToContainer
        - name: textfile
          readOnly: true
          mountPath: /host/textfile
          mountPropagation: HostToContainer
        - name: textfile-kubelet-eviction-thresholds-exporter
          readOnly: true
          mountPath: /host/textfile-kubelet-eviction-thresholds-exporter
          mountPropagation: HostToContainer
        resources:
          requests:
            {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }}
{{- if not ( .Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }}
            {{- include "node_exporter_resources" . | nindent 12 }}
{{- end }}
      - image: {{ include "helm_lib_module_image" (list . "kubeletEvictionThresholdsExporter") }}
        name: kubelet-eviction-thresholds-exporter
        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all" . | nindent 8 }}
        env:
        - name: MY_NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        volumeMounts:
        - name: root
          readOnly:  true
          mountPath: /host/
        - name: textfile-kubelet-eviction-thresholds-exporter
          mountPath: /var/run/node-exporter-textfile
        - name: dockersock
          mountPath: /var/run/docker.sock
        - name: containerddir
          mountPath: /etc/containerd
        - name: kube
          mountPath: /root/.kube
        resources:
          requests:
            {{- include "helm_lib_module_ephemeral_storage_only_logs" 10 | nindent 12 }}
{{- if not ( .Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }}
            {{- include "kubelet_eviction_thresholds_exporter_resources" . | nindent 12 }}
{{- end }}
      - name: kube-rbac-proxy
        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }}
        image: {{ include "helm_lib_module_common_image" (list . "kubeRbacProxy") }}
        args:
        - "--secure-listen-address=$(KUBE_RBAC_PROXY_LISTEN_ADDRESS):9101"
        - "--v=2"
        - "--logtostderr=true"
        - "--stale-cache-interval=1h30m"
        env:
        - name: KUBE_RBAC_PROXY_LISTEN_ADDRESS
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: KUBE_RBAC_PROXY_CONFIG
          value: |
            upstreams:
            - upstream: http://127.0.0.1:9101/metrics
              path: /metrics
              authorization:
                resourceAttributes:
                  namespace: d8-monitoring
                  apiGroup: apps
                  apiVersion: v1
                  resource: daemonsets
                  subresource: prometheus-metrics
                  name: node-exporter
        ports:
        - containerPort: 9101
          name: https-metrics
        resources:
          requests:
            {{- include "helm_lib_module_ephemeral_storage_only_logs" . | nindent 12 }}
{{- if not ( .Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }}
            {{- include "helm_lib_container_kube_rbac_proxy_resources" . | nindent 12 }}
{{- end }}
      volumes:
      - name: textfile
        hostPath:
          path: /var/run/node-exporter-textfile
          type: DirectoryOrCreate
      - name: root
        hostPath:
          path: /
      - name: dockersock
        hostPath:
          path: /var/run/docker.sock
      - name: containerddir
        hostPath:
          path: /etc/containerd
          type: DirectoryOrCreate
      - emptyDir:
          medium: Memory
        name: kube
      - emptyDir:
        name: textfile-kubelet-eviction-thresholds-exporter
      imagePullSecrets:
      - name: deckhouse-registry
